
21st Century Cures Act Compliance for HIPAA Covered Entities

Although the 21st Century Cures Act did not directly amend HIPAA, the subsequent rulemaking could create Cures Act compliance challenges for HIPAA covered entities with regard to individuals’ access to ePHI via APIs and the security risks that this may involve. This article looks at some of the potential challenges and discusses what covered entities can do to overcome them. The challenges include:

  • Information Blocking
  • Interoperability
  • Patient Access
  • Compliance Costs
  • Security Concerns
  • Legal and Regulatory Understanding
  • Workforce Training
  • Technology Integration
  • Public Perception and Trust
  • Vendor Management

The 21st Century Cures Act, enacted in the United States in 2016 “to accelerate the discovery, development, and delivery of 21st century cures and for other purposes”, was designed to support medical product development and bring new innovations and advances to patients who need them faster and more efficiently.

Title IV of the Act instructed the Secretary of Health and Human Services (HHS) and the Office of the National Coordinator (ONC) to develop standards to accelerate the exchange of health information in order to facilitate the objectives of the Cures Act. The subsequent Rulemaking has resulted in the following Cures Act compliance challenges for some HIPAA Covered Entities.

Information Blocking

One of the key provisions in Title IV of the 21st Century Cures Act is the prevention of information blocking, or practices that restrict the access, exchange, or use of electronic health information (EHI). HIPAA-covered entities must ensure they are providing proper access to EHI without compromising HIPAA regulations for privacy and security of Protected Health Information (PHI).


Interoperability

The Interoperability clause of Title IV requires “the secure exchange of electronic health information with, and use of electronic health information from, other health information technology without special effort on the part of the user”. In 2020, HHS and ONC issued a Final Rule regarding how this clause was going to be implemented via the use of APIs.

Patient Access

The Final Rule extended the use of APIs to patients to enable them to access PHI maintained by any covered entity and transfer it to another covered entity or third-party health app of their choice. The Cures Act compliance challenge in this case is the development or acquisition of APIs that comply with the Privacy and Security Rules (notwithstanding user verification concerns).

Compliance Costs

Developing, acquiring, and implementing new systems and practices to support Cures Act compliance requires financial investments. Small providers might find these costs burdensome, especially as multiple proposed changes to HIPAA may require significant changes to policies and procedures – attracting further direct and indirect costs.

Security Concerns

Enhanced data sharing and interoperability bring increased risks of data breaches. Although HHS has stated that covered entities are not responsible for what happens to EHI once it has been transferred to a third-party health app, HIPAA-covered entities must still find a balance between improving accessibility and maintaining robust security measures to protect the databases in which PHI is stored.

Legal and Regulatory Understanding

The complexity of both HIPAA and the 21st Century Cures Act requires in-depth understanding and careful navigation to avoid potential legal pitfalls. Additionally, in states where local healthcare regulations preempt HIPAA, there may be scenarios in which the local regulations overlap or conflict with HIPAA and the Cures Act, necessitating careful legal interpretation.

Workforce Training

Although most of the Cures Act compliance challenges are technology-related, some clauses may impact the day-to-day roles of workforce members. When covered entities or business associates make material changes to policies and procedures to support Cures Act compliance, it is essential impacted workforce members receive training on the revised policies and procedures.

Technology Integration

One of the issues that has hampered earlier attempts to accelerate the exchange of health information is incompatible legacy technologies. Utilizing technology that complies with both regulations might require extensive customization or adaptation of existing systems. This is a time-consuming and potentially costly process.

Public Perception and Trust

One of the biggest challenges associated with providing patients with more access to health information is explaining to patients what information they can access. Consequently, covered entities have to explain the distinction between EHI and ePHI, and that only EHI maintained in a designated record set is covered by the accessibility provisions.

Increased Vendor Management

When covered entities and business associates contract technology services to support Cures Act compliance, it will be necessary to enter into a Business Associate Agreement with the technology vendors – even when the technologies operate under a “no view” model. This increases the workload for workforce members responsible for vendor management.

Cures Act Compliance: Conclusion

In conclusion, the 21st Century Cures Act increases the complexity of HIPAA compliance for many covered entities. Resolving Cures Act compliance challenges involves finding a balance between improving healthcare delivery and innovation while maintaining the privacy and security patients expect. Organizations finding it difficult to overcome Cures Act compliance challenges should seek professional compliance advice.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
